There's been a void for some time in the Ossec world - no pre-designed Windows deployment tools. Many people have been left with the option of either figuring this out themselves or sneaker-netting all around the company and installing and configuring the agents one at a time. One at a time was just not an option for me with a few hundred agents to install, so I figured it out - with some help. Now that the work has been done I'm trying to help fill that void so that other admins might be able to get this done and move on to the next project more quickly.
Our next step is to setup some scripts that will need to handle some key tasks for us to automate the install.
We need this script to:
a: determine where the Ossec Agent is installed
b: get the key for the machine we are deploying to and generate it's ossec.keys file
c: configure the Ossec Agent to connect to our Server and
d: restart the Ossec service on our client PC so that it starts reporting
We might also want the script to perform some checks throughout the process and let our users know if the install failed so that they can let us know.
Here is the setup script for 32-bit machines (text shrunken to preserve formatting). You should keep the names of the script files as noted unless you are very familiar with MAKEMSI and can do the editing needed to the MSI build scripts.
ossec_distribute_keys.cmd
<*Begin copy here*>
@ECHO OFF
::*****************************************
::* SET YOUR OSSEC SERVER IP ADDRESS *
::*****************************************
SET OSSECSERVER=***Ossec Server IP here***
::*******************************************************************************************************
::* DEFINE OSSECPATH VARIABLE AS SET BY THE Ossec HIDS INSTALLATION IN THE WINDOWS REGISTRY *
::*******************************************************************************************************
FOR /f "tokens=1-2,*" %%i in ('reg query HKEY_LOCAL_MACHINE\SOFTWARE\ossec
^| find "Install_Dir"') do SET OSSECPATH=%%k
IF "%OSSECPATH:~-1%"==" " SET OSSECPATH=%OSSECPATH:~0,-1%
::*********************************************************************************************
::* VERIFY THAT OSSEC INSTALLED SUCCESSFULLY BEFORE PROCEEDING TO CONFIGURATION *
::*********************************************************************************************
IF DEFINED OSSECPATH (ECHO Ossec installation found at %OSSECPATH%. Continuing with configuration.)
IF NOT DEFINED OSSECPATH GOTO EXIT_ON_ERROR
::****************************************
::* CHECK FOR MASTER CLIENT KEYFILE *
::****************************************
IF EXIST "%CD%\ossec.keys" ECHO Client keyfile index found - Getting security configuration information.
IF NOT EXIST "%CD%\ossec.keys" GOTO MASTER_KEYFILE_NOT_FOUND
::*******************************************
::* ENABLE DELAYED VARIABLE EXPANSION *
::*******************************************
@ECHO OFF > "%OSSECPATH%\client.keys" & SETLOCAL ENABLEDELAYEDEXPANSION
::********************************************************************************************************
::* FIND COMPUTERNAME IN MASTER KEYFILE THEN GENERATE SPECIFIC AGENT KEYFILE IN OSSECPATH *
::********************************************************************************************************
findstr /I /C:"%COMPUTERNAME%" ossec.keys > "%OSSECPATH%\client.keys"
::***********************************************************************
::* CONFIGURE ossec.conf FILE BEFORE RESTARTING OSSEC HIDS SERVICE *
::***********************************************************************
SET LINE1=^<ossec_config^>
SET LINE2= ^<client^>
SET LINE3= ^<server-ip^>%OSSECSERVER%^</server-ip^>
SET LINE4= ^</client^>
SET LINE5=^</ossec_config^>
ECHO !LINE1!>>"%OSSECPATH%\ossec.conf"
ECHO !LINE2!>>"%OSSECPATH%\ossec.conf"
ECHO !LINE3!>>"%OSSECPATH%\ossec.conf"
ECHO !LINE4!>>"%OSSECPATH%\ossec.conf"
ECHO !LINE5!>>"%OSSECPATH%\ossec.conf"
::**************************************
::* Restart Ossec Service and begin monitoring *
::**************************************
NET STOP OSSECSVC
NET START OSSECSVC
::**************************************************************************************
::* NOTIFY USERS/TECHS THAT INSTALLATION AND CONFIGURATION WAS SUCCESSFUL *
::**************************************************************************************
MSG * Ossec HIDS installation and configuration completed successfully. Click OK to exit
::***********************************************************************
::* DELETE SENSITIVE FILES ONCE INSTALL IS COMPLETE AND VERIFIED *
::***********************************************************************
DEL "%OSSECPATH%\ossec.keys"
DEL "%OSSECPATH%\ossec_distribute_keys.cmd"
EXIT
::*********************************************************
::* NOTIFY USERS/TECHS IF OSSEC INSTALLATION FAILED *
::*********************************************************
:EXIT_ON_ERROR
MSG * Ossec installation Failed. Please contact support for assistance.
EXIT
::***********************************************************
::* NOTIFY USERS/TECHS IF MASTER KEYFILE IS NOT FOUND *
::***********************************************************
:MASTER_KEYFILE_NOT_FOUND
MSG * Client keyfile not found - Manual security configuration required. Please contact support for assistance.
EXIT
<*End copy here*>
And here is the script for x64 machines
ossec_distribute_keys_x64.cmd
<*Begin copy below here*>
@ECHO OFF
::**********************************************
::* SET YOUR OSSEC SERVER IP ADDRESS HERE *
::**********************************************
SET OSSECSERVER=***Ossec Server IP here***
::*******************************************************************************************************
::* DEFINE OSSECPATH VARIABLE AS SET BY THE Ossec HIDS INSTALLATION IN THE WINDOWS REGISTRY *
::*******************************************************************************************************
SETLOCAL ENABLEDELAYEDEXPANSION
FOR /f "tokens=1-2,*" %%i in ('reg query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ossec
^| find "Install_Dir"') do SET OSSECPATH=%%k
IF "!OSSECPATH:~-1!"==" " SET OSSECPATH="!OSSECPATH:~0,-1!"
::*********************************************************************************************
::* VERIFY THAT OSSEC INSTALLED SUCCESSFULLY BEFORE PROCEEDING TO CONFIGURATION *
::*********************************************************************************************
IF DEFINED OSSECPATH (ECHO Ossec installation found at !OSSECPATH!. Continuing with configuration.)
IF NOT DEFINED OSSECPATH GOTO EXIT_ON_ERROR
::****************************************
::* CHECK FOR MASTER CLIENT KEYFILE *
::****************************************
IF EXIST "%CD%\ossec.keys" ECHO Client keyfile index found - Getting security configuration information.
IF NOT EXIST "%CD%\ossec.keys" GOTO MASTER_KEYFILE_NOT_FOUND
::*******************************************
::* ENABLE DELAYED VARIABLE EXPANSION *
::*******************************************
@ECHO OFF > %OSSECPATH%\ossec.keys & SETLOCAL ENABLEDELAYEDEXPANSION
::********************************************************************************************************
::* FIND COMPUTERNAME IN MASTER KEYFILE THEN GENERATE SPECIFIC AGENT KEYFILE IN OSSECPATH *
::********************************************************************************************************
findstr /I /C:"%COMPUTERNAME%" ossec.keys > "%OSSECPATH%\client.keys"
::***********************************************************************
::* CONFIGURE ossec.conf FILE BEFORE RESTARTING OSSEC HIDS SERVICE *
::***********************************************************************
SET LINE1=^<ossec_config^>
SET LINE2= ^<client^>
SET LINE3= ^<server-ip^>%OSSECSERVER%^</server-ip^>
SET LINE4= ^</client^>
SET LINE5=^</ossec_config^>
ECHO !LINE1!>>"%OSSECPATH%\ossec.conf"
ECHO !LINE2!>>"%OSSECPATH%\ossec.conf"
ECHO !LINE3!>>"%OSSECPATH%\ossec.conf"
ECHO !LINE4!>>"%OSSECPATH%\ossec.conf"
ECHO !LINE5!>>"%OSSECPATH%\ossec.conf"
::**************************************
::* Restart Ossec Service and begin monitoring *
::**************************************
NET STOP OSSECSVC
NET START OSSECSVC
::**************************************************************************************
::* NOTIFY USERS/TECHS THAT INSTALLATION AND CONFIGURATION WAS SUCCESSFUL *
::**************************************************************************************
MSG * Ossec HIDS installation and configuration completed successfully. Click OK to EXIT
::***********************************************************************
::* DELETE SENSITIVE FILES ONCE INSTALL IS COMPLETE AND VERIFIED *
::***********************************************************************
DEL "%OSSECPATH%\ossec.keys"
DEL "%OSSECPATH%\ossec_distribute_keys_x64.cmd"
EXIT
::*********************************************************
::* NOTIFY USERS/TECHS IF OSSEC INSTALLATION FAILED *
::*********************************************************
:EXIT_ON_ERROR
MSG * Ossec installation Failed. Please contact support for assistance.
EXIT
::******************************************************I*****
::* NOTIFY USERS/TECHS IF MASTER KEYFILE IS NOT FOUND *
::***********************************************************
:MASTER_KEYFILE_NOT_FOUND
MSG * Client keyfile not found - Manual security configuration required. Please contact support for assistance.
EXIT
<*End copy here*>
You'll need to edit the first variable to configure this to work in your environment.
SET OSSECSERVER=***Ossec Server IP here***
This should be pretty self-explanatory. The rest of the script should not need any modification. Save these files and tuck them away for now...we need to get our MAKEMSI scripts ready. These are quite a bit more complicated so i'll do my best to keep all of the configuration items on the tops of the scripts.
The reason for separate 32-bit and 64-bit configuration files is that even though the installs are somewhat similar, the differences that exist make it very difficult to merge the code into one file and I am trying to keep it as simple and easy to understand as possible so that everyone can follow what is happening in the scripts so that if there is something else that you need to do in your deployment you will be able to make those changes with minimal time and difficulty.
At this time you should, if you have not already, go ahead and setup a directory where you will place all of the files that will need. They should all be kept together so that everything works as designed. The directory I used is C:\MSIBuilds\ossec but of course you can put the files your anywhere on your dev box... as long as they are all together.
The rest of the files needed to place in your MSI Build directory (most of which I will provide here) are as follows...
Company.mmh
DEPT.mmh
ossec.keys - You should have your own by now so for security reasons I can't post mine.
OSSEC.mmh
ossec-agent-win32-version#.exe -Must be at least version 2.5 for the automated installation to work.
OssecHIDS.MM
OssecHIDS.rtf
OssecHIDS.VER
and
OssecHIDSx64.MM
You will likely want to edit the uisample.mmh file located in your main MAKEMSI install directory, C:\Program Files (x86)\MakeMsi for 64-bit machines or C:\Program Files\MakeMsi for 32-bit. Specifically, you will want to look at line 1088 of the uisample.mmh file.
Set this value to 1 instead of 0 for installs that you want to have a progress bar but no user interaction.
#define? UISAMPLE_REDUCED_UI_VALUE 0 ;;0 = normal, 1 = reduced UI (on install only)
The rest of the code has been generalized so you will want to fill in your information in them. Most of the code does not need to be edited, but if you want to customize the builds with your company information it will be very easy to do so. The few things that MUST be changed will be very clearly defined in the next post coming tomorrow.
By the end of tomorrows post you should be able to build customized and automated deployment MSIs for your companies and will be able to update them to the latest versions or setup deployments adding new machines in your companies in minutes instead of hours or days.
Tomorrow in Part 3 of the series I will tie it all together and show you how it works.
No comments:
Post a Comment